SB2020042807 - Multiple vulnerabilities in Kiali

Description

This security bulletin contains information about 2 vulnerabilities.

1) Insufficient Session Expiration (CVE-ID: CVE-2020-1762)

CWE-ID: CWE-613 - Insufficient Session Expiration

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an insufficient JWT validation. A remote non-authenticated attacker can steal a valid JWT cookie and gain unauthorized access to session that belongs to another user, possibly gain privileges to view and alter the Istio configuration.

2) Use of Hard-coded Cryptographic Key (CVE-ID: CVE-2020-1764)

CWE-ID: CWE-321 - Use of Hard-coded Cryptographic Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber

The vulnerability allows a remote attacker to gain unauthorized access to the system.

The vulnerability exists due to presence of a hard-coded cryptographic key in the default configuration file. A remote attacker can create their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.

Remediation

Install update from vendor's website.

References

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1762
• https://kiali.io/news/security-bulletins/kiali-security-001/
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764